Qualification Guideline
Qualification Guideline for Microsoft Office 365
June 2013

Disclaimer:
This document is meant as a reference to Life Science companies in regards to the Microsoft O365 platform. Montrium does
not warrant that the use of the recommendations contained herein will result in a qualified system or that a system validated
within Office 365 in accordance with this document will be acceptable to regulatory authorities.
This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet Web
site references, may change without notice.

Limitation of Liability:
In no event shall Montrium or any of its affiliates or the officers, directors, employees, members, or agents of each of them, be
liable for any damages of any kind, including without limitation any special, incidental, indirect, or consequential damages,
whether or not advised of the possibility of such damages, and on any theory of liability whatsoever, arising out of or in
connection with the use of this information.

© 2013 Montrium Inc.                                                                                                         Page 2 of 74
                                                                                                       Document MTM-O365-GDE-01 Revision 01
Qualification Guideline for Microsoft Office 365

                                         Authors

Michael Zwetkow                     VP Operations, Montrium Inc.
Stephanie Tanguay                   Quality Assurance Manager, Montrium Inc.
Paul Fenton                         CEO, Montrium Inc.
Gabrielle Soucy                     Sr. Business Analyst, Montrium Inc.


                                             Foreword
Over the last few years, Microsoft has paid an increasing amount of attention to a couple of key
concepts that are represented in this whitepaper: compliance and the cloud. Together these concepts
represent a fairly radical departure from normal business. By enabling cloud technologies, which provide
an ease of use and ease of implementation, with compliance, which provides the ability to work with
information in a regulatory compliant fashion, the implementing party may find the best of both worlds.

This set of guideline whitepapers shows how Microsoft is committed to cloud and compliance, spanning
Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), a
relatively unique combination of technologies and commitment to compliance.

At the end of the day these are qualification guidelines and do not represent any guarantees from
Microsoft that your processes can be validated in any of the environments discussed or against any of
the regulations or standards discussed. Yet when paired with the documentation referred to herein
along with customer evidence, these guidelines offer customers a starting point for their own
“compliance in the cloud” efforts, a starting point that may be furthered by the expertise Montrium has
demonstrated in producing these guidelines.

Mohamed Ayad, Cloud Solution Specialist
Les Jordan, Chief Technology Strategist
Health & Life Sciences Industry Unit
Microsoft


                                        Executive Summary
The purpose of this document is to assist Microsoft’s life science customers in establishing a
qualification strategy for the Microsoft Office 365 (O365) software service. This guideline identifies the
responsibilities shared by Microsoft and its customers for meeting the regulatory requirements of FDA
21 CFR Part 11 Electronic Records; Electronic Signatures (21 CFR Part 11) and EudraLex Volume 4 - Annex
11 Computerised Systems (Annex 11).
The intended audience for this guideline is any regulated customer within the life sciences industry,
aiming to use the O365 platform to run GxP regulated applications. It is assumed that these regulated
applications will support GxP activities and produce and/or manage electronic records.
Traditionally GxP computerized systems have been deployed on specific servers either directly or
through the use of virtual machines. This underlying hardware was usually qualified, managed and
specifically identified as being part of a specific instance of a GxP computerized system. With cloud
computing this paradigm changes slightly. The O365 software solution is composed of many hardware
and software components which all fall under the same controls that have been identified in this
guideline. Each time a new customer instance of O365 is commissioned, it is done using the same
controlled process and standards. When considering public cloud based systems, it is important to view
the whole public cloud as one system upon which we are able to install and run GxP computerized
systems and applications. This guideline will help companies achieve this by providing references to the
21 CFR Part 11 controls that are present within the O365 environment and that should be identified in
customer qualification documentation.
Microsoft’s GFS and O365 platform services have undergone SSAE 16 Service Organization Control (SOC)
audits and are also certified according to ISO/IEC 27001:2005 standards. Although these standards do
not specifically focus on regulatory compliance, their objectives are very similar to those of 21 CFR Part
11 and Annex 11. Montrium has therefore decided to leverage the reports produced by independent
third party SSAE and ISO auditors to identify the procedural and technical controls established at
Microsoft that could be used to satisfy the requirements of 21 CFR Part 11 and Annex 11. It was
assumed that these audit reports were generated by qualified third party auditors and that all
information contained within the reviewed audit reports was objective and accurate at the time of the
audits. It is expected that customers will perform an independent analysis and verification of relevant
regulatory requirements to determine if the GxP applications deployed on O365 are fit for their
intended purpose. The customer must also ensure that GxP application systems will be sufficiently
documented and validated to further demonstrate compliance.
Microsoft Office 365 (O365) is a subscription-based software service hosted by the Global Foundation
Services (GFS) group within Microsoft-managed data centers. GFS delivers the core infrastructure and
foundation technologies for Microsoft's Online Services environment. The services included as part of
O365 are Microsoft SharePoint Online, Microsoft Exchange Online, Microsoft Lync Online and Microsoft
Forefront Online Protection for Exchange. This guideline focuses on the Microsoft SharePoint Online
service, which is the only O365 service that, when configured appropriately, provides the ability to
manage electronic records in a manner that could satisfy applicable regulatory requirements. The O365
platform is classified as a public, off-premise, third-party managed solution which is offered via the SaaS
cloud service model. From the perspective of a regulated user (customer), O365 is considered to be
Category 4 – Configured Product as defined in GAMP5®. O365 is considered to be an “open system” per
21 CFR Part 11; therefore additional measures, such as encryption, should be employed to further secure
information stored within or transiting from the system. It should be noted that only certain versions of
O365 are able to meet the 21 CFR Part 11 requirements for open systems.
Audited controls implemented by Microsoft serve to ensure confidentiality, integrity and availability of
data stored on O365 and correspond to the applicable regulatory requirements defined in 21 CFR Part
11 and Annex 11 that have been identified as the responsibility of Microsoft. Microsoft is responsible for
ensuring that O365 meets the terms defined within the governing Service Level Agreements (SLA).
In addition to ensuring that computerized systems have the relevant technical controls outlined in the
assessment contained within the guideline, the customer is also responsible for ensuring adequate
procedural controls governing the use of the GxP computerized system are in place. These procedural
controls should cover the technical aspects of system management, including but not limited to logical
security, user management, data backup and disaster recovery. There should also be procedural
controls relating to the operation of the GxP computerized system. The customer should determine the
GxP requirements that apply to the computerized system based on its intended use and follow internal
procedures governing qualification and/or validation processes to demonstrate that the GxP
requirements are met.
In conclusion, following the assessment performed by Montrium, it is felt that the audited procedural
and technical controls that Microsoft has implemented could serve to demonstrate that the O365
platform is being maintained in a state of control that is in accordance with the applicable regulatory
requirements. Moreover, the customer may leverage the audited controls described in this document
and related audit reports as part of the risk analysis and qualification effort of their GxP applications
deployed in the O365 environment.


                                                               Table of Contents
Authors ..... 3
Foreword ..... 4
Executive Summary ..... 5
Table of Contents ..... 7
1  Introduction ..... 8
   1.1  Purpose ..... 8
   1.2  Key Definitions ..... 8
   1.3  Audience and Scope ..... 9
   1.4  Methodology ..... 9
   1.5  Glossary ..... 11
2  System Overview ..... 14
   2.1  Global Foundation Services ..... 14
   2.2  Microsoft Office 365 ..... 14
   2.3  System Classification ..... 15
   2.4  Microsoft Audits and Certifications ..... 16
   2.5  Microsoft Controls ..... 18
3  Qualification Approach ..... 23
   3.1  Qualification Activities and Responsibilities ..... 24
   3.2  US FDA 21 CFR Part 11 Electronic Records; Electronic Signatures Compliance Assessment ..... 26
   3.3  EudraLex Volume 4 Annex 11 Computerised Systems Compliance Assessment ..... 40
4  Conclusion ..... 70
5  References ..... 71
6  Appendices ..... 72
   Appendix A.  Recommended Procedures / Policies ..... 72


1     Introduction
1.1     Purpose
        The purpose of this document is to assist Microsoft’s life science customers in establishing a
        qualification strategy for the Microsoft Office 365 (O365) software service, which is hosted on the
        infrastructure provided by the Global Foundation Services (GFS) group within Microsoft. The
        guidance provided in this document is based on the assumption that Microsoft’s customers will
        utilize the O365 service as a GxP application to perform GxP regulated activities.
        This guideline identifies the responsibilities shared by Microsoft and its customers for meeting the
        regulations specified within Section 1.2. A summary is provided of the procedural and technical
        controls which govern the O365 service and can be leveraged by the regulated user (customer) to
        demonstrate compliance with applicable regulatory requirements. Also summarized within this
        guideline are the recommended activities and controls that customers should establish in order to
        qualify and maintain control over the GxP application configured to run on O365.
        The qualification approach outlined within this guideline is based on industry best practices with
        an emphasis on the concepts presented and described within ISPE’s GAMP® series of Good
        Practice Guides (Ref. [7]) and PIC/S PI 011-3 Good Practices for Computerised Systems in
        Regulated ‘GxP’ Environments (Ref. [17]).
1.2     Key Definitions
1.2.1    GxP computerized system
         A GxP computerized system is defined as an application configured on the O365 platform that
         supports activities and records governed by regulations pertaining to GLP, GCP and GMP
         environments.
1.2.2    GxP activity
         Any regulated activity performed within the context of GLP, GCP and GMP environments.
1.2.3    Customer
         Within the context of this guideline, the customer is defined as any person or persons using a
         GxP computerized system hosted on the O365 platform who are responsible for the content of
         the electronic records produced and/or managed within the GxP computerized system.
1.2.4    Customer Data on Storage
         As per the Microsoft O365 Privacy Statement (Ref. [19]), “Customer Data is all the data,
         including all text, sound, software or image files that you provide, or are provided on your
         behalf, to us through your use of the Services.” For example, Customer Data on Storage includes
         data that customers upload for storage or processing in the O365 platform, and applications
         that the customer or the customer’s end users upload for hosting in the Services. Customer Data
         on Storage does not include configuration or technical settings and information. Microsoft does
         not monitor or approve the applications that customers configure on O365. Microsoft does not
         claim ownership of the Data on Storage. Microsoft’s Online Services Use Rights (Ref. [20]) states:
         “you [the customer] retain all right, title and interest in and to customer data. We [Microsoft]
         acquire no rights in customer data, other than the rights you grant to us for the applicable
         online service. This does not apply to software or services we license you.” Data security beyond
         the access control mechanisms, including but not limited to fine-grained access controls or
         encryption, is the responsibility of the customer.
1.3    Audience and Scope
       The intended audience for this guideline is any regulated customer within the life sciences
       industry aiming to configure the O365 platform for use as a GxP application(s). It is assumed that
       the application will support GxP activities and produce and/or manage electronic records. The
       specific GxP activities performed within the customer’s O365 environment are not addressed in
       this guidance document, as the customer is responsible for defining the requirements and
       evaluating the risk associated with each GxP application within the O365 environment.
       The regulations within the scope of this qualification guidance document are limited to the
       following:
       - FDA 21 CFR Part 11 Electronic Records; Electronic Signatures - Subpart A and B (Sec 11.10
         and Sec 11.30) (Ref. [5])¹
       - EudraLex Volume 4 - Annex 11 Computerised Systems (Ref. [8])²
       The O365 platform consists of several services as described in Section 2.2; however, Microsoft
       SharePoint Online is the only service which could provide the ability to generate or manage
       electronic records within the context of GxP regulated activities. Therefore, this guidance will focus
       on the functionality of SharePoint Online as it relates to the management of electronic records.
       This guideline also covers the underlying infrastructure components provided by the Global
       Foundation Services group upon which the O365 service is delivered to Microsoft customers.
¹ 21 CFR Part 11 subparts related to electronic signatures are out of scope for this guide, as Microsoft does not
  provide electronic signature functionality as part of the above services.
² Although EudraLex Volume 4 Annex 11 specifically discusses GMP systems, it is generally accepted in industry that
  the same principles are for the most part applicable to GCP and GLP systems.

1.4    Methodology
       Microsoft’s GFS and O365 platform services have undergone SSAE 16 Service Organization Control
       (SOC) audits and are also certified according to ISO/IEC 27001:2005 standards (see Section 2.4).
       Montrium has leveraged the reports produced by independent third party auditors to identify
       procedural and technical controls established at Microsoft which could be used to satisfy
       regulatory requirements within US FDA 21 CFR Part 11 (Ref. [5]) and EudraLex Volume 4 - Annex
       11 (Ref. [8]). These controls are described in detail in Section 2.5. Montrium based the analysis on
       the ISO and SSAE 16 standards as they have similar objectives to 21 CFR Part 11 and EudraLex
       Volume 4 - Annex 11 in relation to controls for computerized systems.
       The qualification approach summarizes the activities and responsibilities shared between the
       regulated user (customer) and the cloud service provider (Microsoft) to qualify the system against
       the relevant regulatory requirements. A detailed assessment (see Sections 3.2 and 3.3) was
       performed on each regulatory requirement to interpret how compliance could be achieved within
       the context of a GxP computerized system configured on the O365 platform. The assessment
       describes the responsibilities of the customer and Microsoft, as well as the activities,
       documentation and controls (technical/procedural) that are required to meet each regulatory
       requirement.
       The contents of this document are based on these assumptions:
       - Audit reports listed in Section 2.4 were generated by qualified third party auditors;
       - All information contained within the reviewed audit reports was objective and accurate at
         the time of the audits;
       - Customers will perform an independent analysis and verification of related regulatory
         requirements to determine if the O365 platform is fit for its intended purpose;
       - The O365 application(s) will be sufficiently documented and validated by the customer to
         demonstrate compliance with all applicable regulations;
       - The customer will use only out-of-the-box functionality and will not be installing or
         developing any customizations or 3rd party applications within the O365 environment.


1.5      Glossary

Term: Definition
AICPA: American Institute of Certified Public Accountants
CFR: Code of Federal Regulations
Closed System: An environment in which system access is controlled by persons who are responsible
    for the content of electronic records that are on the system.³
Cloud Infrastructure as a Service (IaaS): The capability provided to the consumer is to provision
    processing, storage, networks, and other fundamental computing resources where the consumer is
    able to deploy and run arbitrary software, which can include operating systems and applications.
    The consumer does not manage or control the underlying cloud infrastructure but has control over
    operating systems, storage, deployed applications, and possibly limited control of select
    networking components (e.g., host firewalls).⁴
Cloud Platform as a Service (PaaS): The capability provided to the consumer is to deploy onto the
    cloud infrastructure consumer-created or acquired applications created using programming
    languages and tools supported by the provider. The consumer does not manage or control the
    underlying cloud infrastructure including network, servers, operating systems, or storage, but has
    control over the deployed applications and possibly application hosting environment
    configurations.⁴
Cloud Software as a Service (SaaS): The capability provided to the consumer is to use the provider’s
    applications running on a cloud infrastructure. The applications are accessible from various client
    devices through a thin client interface such as a Web browser (e.g., Web-based email). The
    consumer does not manage or control the underlying cloud infrastructure including network,
    servers, operating systems, storage, or even individual application capabilities, with the possible
    exception of limited user specific application configuration settings.
Computerized System: Includes hardware, software, peripheral devices, personnel, and documentation;
    e.g., manuals and Standard Operating Procedures.⁵
Customer: O365 user using the software service for GxP regulated activities.
CV: Curriculum Vitae
Electronic Record: Any combination of text, graphics, data, audio, pictorial, or other information
    representation in digital form that is created, modified, maintained, archived, retrieved, or
    distributed by a computer system.³
FDA: United States Food and Drug Administration
GAMP: Good Automated Manufacturing Practice
GFS: Global Foundation Services
GCP: Good Clinical Practice
GLP: Good Laboratory Practice
GMP: Good Manufacturing Practice
GxP: Compliance requirements for all good practice disciplines in the regulated pharmaceutical sector
    supply chain from discovery to post marketing.⁶
IaaS: Infrastructure as a Service
ID: Identifier
IEC: International Electrotechnical Commission
ISO: International Organization for Standardization
ISPE: International Society of Pharmaceutical Engineers
IT: Information Technology
NDA: Non-Disclosure Agreement
NIST: National Institute of Standards and Technology
Open System: An environment in which system access is not controlled by persons who are responsible
    for the content of electronic records that are on the system.³
O/S: Operating System
PaaS: Platform as a Service
PIC/S: Pharmaceutical Inspection Convention and Pharmaceutical Inspection Co-operation Scheme
Procedure: The term “procedure” within the context of this document refers to any approved and
    effective controlled document governing specific processes (i.e. Policy, SOP, Standard, Guide,
    Work Instruction).
SaaS: Software as a Service
SDLC: Software Development Lifecycle
SLA: Service Level Agreement
SMAPI: System Management Application Program Interface
SOC: Service Organization Controls
SOP: Standard Operating Procedure
SSAE: Statement on Standards for Attestation Engagements
SSL: Secure Sockets Layer
STB: Microsoft Server and Tools Business
TLS: Transport Layer Security
TSP: Trust Services Principles
VM: Virtual Machine
VPN: Virtual Private Network

³ FDA 21 CFR Part 11 (Ref. [4]).
⁴ NIST Cloud Computing Standards Roadmap (Ref. [9]).
⁵ FDA, Glossary of Computer Systems Software Development Terminology (8/95).
⁶ PIC/S (Ref. [17]).

2     System Overview
2.1    Global Foundation Services
       Global Foundation Services (GFS) delivers the core infrastructure, foundation technologies and
       operational support for Microsoft's Online Services environment, including O365. As described
       within the GFS SOC 2 report (Ref. [2]), the GFS operational infrastructure services include the
       following:
       - Engineering and operations for core infrastructure (networking, directory services, access
         services, data retention and backup, hardware and software procurement, physical and
         environmental controls)
       - Deployment, hosting and data center services
       - Service support, monitoring and escalation
       - Information security management and compliance monitoring
2.2    Microsoft Office 365
       Microsoft Office 365 (O365) is a subscription-based software service hosted by the Global
       Foundation Services group within Microsoft-managed data centers. As described within the O365
       SOC 1 report (Ref. [1]), the O365 hosted service is offered in two ways:
       - Microsoft Office 365 – where all customers receive a standard set of features they
         subscribe to, hosted on a multi-tenant basis
       - Microsoft Office 365 Dedicated (O365-D) – hosts applications and services with a separate,
         secured hardware infrastructure dedicated to a single customer
       The services included as part of O365 and O365-D are: Microsoft SharePoint Online, Microsoft
       Exchange Online, Microsoft Lync Online and Microsoft Forefront Online Protection for Exchange.
       This guideline will focus on the Microsoft SharePoint Online service, which is the only O365
       service that, when configured appropriately, provides the ability to manage electronic records in a
       manner that could satisfy applicable regulatory requirements (see Section 1.3). SharePoint Online
       allows users to create and store data as well as documents in lists and libraries within SharePoint,
       which can be configured with audit trails and versioning. In addition, user permissions can be
       configured to control access to the content stored within the various lists and libraries.

        In order to be able to meet regulatory requirements for encryption, the software service must
        also provide the ability to encrypt data which is stored within the application. The Active Directory
        Rights Management functionality can be configured to encrypt documents stored within
        SharePoint. However, this functionality is only available with the SharePoint Online Plan 2 option,
        which is included in the following O365 plans:
              Office 365 Enterprise E3
              Office 365 Education A3
              Office 365 Government G3
              Office 365 Enterprise E4
              Office 365 Education A4
              Office 365 Government G4
2.3     System Classification
2.3.1    Cloud Service Model
         The O365 platform is classified as a public, off-premise, third-party managed solution which is
         offered via the SaaS cloud service model (see NIST definition in Section 1.5). The following
         diagram depicts the various components of the software service which are managed by
         Microsoft as part of the SaaS service model.

                         Figure 1 – SaaS Cloud Service Model (based on Ref. [18])

2.3.2    GAMP5® Category
         From the perspective of a regulated user (customer), Microsoft Office is considered to be
         Category 4 – Configured Product as defined in GAMP5® (Ref. [6]). A configured product refers to
         a commercially available software product which is configured to meet a specific business
         requirement.
2.3.3    FDA Classification
         While Microsoft is not directly responsible for the electronic records contained within the O365
         platform, it is responsible for maintaining the O365 platform. In addition, Microsoft configures
         the O365 platform and establishes access control requirements for logical and physical security.
         The O365 platform is therefore considered to be “open” (refer to definition in Section 1.5). The
         FDA requires open systems to meet additional requirements, such as encryption, as defined in
         21 CFR Part 11.30 (Ref. [5]).
2.4     Microsoft Audits and Certifications
        The following table lists the formal audit reports prepared by third parties which were reviewed
        by Montrium in order to identify relevant controls which have a potential impact on compliance
        with the 21 CFR Part 11 (Ref. [5]) and Annex 11 (Ref. [8]) regulations. Existing Microsoft customers
        may request access to these reports subject to NDA terms and conditions, through their
        respective Microsoft account representatives.

         Audited Service             Audit Type             Date                      Reference No.
         GFS                         SOC 2 Type II          April 18, 2012            Ref. [2]
         Office 365                  SOC 1 Type II          June 14, 2012             Ref. [1]
         Office 365                  ISO/IEC 27001:2005     November 16, 2012         Ref. [3]

2.4.1    ISO/IEC 27001:2005 Certification
         ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating,
         monitoring, reviewing, maintaining and improving a documented information security
         management system within the context of the organization's overall business risks. It specifies
         requirements for the implementation of security controls customized to the needs of individual
         organizations or parts thereof.
         ISO/IEC 27001:2005 certifications for O365 and Global Foundation Services can be found by
         clicking on the following links:
                  Microsoft Office 365 ISO/IEC 27001:2005 certificate
                  GFS ISO/IEC 27001:2005 certificate

2.4.2    SOC Service Audit Reports
         Service Organization Controls reports are designed by the American Institute of Certified Public
         Accountants (AICPA) to help service organizations that operate information systems and provide
         information system services to other entities, build trust and confidence in their service delivery
         processes and controls through a report by an independent Certified Public Accountant.
         SOC 1 Service Audit Reports are conducted in accordance with the professional standard known
         as Statement on Standards for Attestation Engagements (SSAE) No. 16. SOC 1 reports are geared
         towards reporting on controls at service organizations that are relevant to Internal Control over
         Financial Reporting, and replace the SAS 70 auditing standard.
         The O365 services group has been audited by independent third party auditors to generate a
         SOC 1 Service Auditor’s report which examined the following control areas:
                  Logical Access
                  Change Management
                  Backup and Restoration
                  Monitoring and Incident Management
                  Software Development Lifecycle (SDLC)
                  Network Services
         SOC 2 Service Auditor’s Reports are also conducted in accordance with the professional
          standard of SSAE 16. SOC 2 reports are intended to meet the needs of a broad range of users
         that need to understand internal control at a service organization as it relates to security,
         availability, processing integrity, confidentiality and privacy and are intended for use by
         stakeholders (e.g., customers, regulators, business partners, suppliers, directors) of the service
         organization that have a thorough understanding of the service organization and its internal
         controls.
         The SOC 2 framework is a comprehensive set of criteria known as the Trust Services Principles
         (TSP) which are composed of the following five (5) sections:
                   The security of a service organization's system
                  The availability of a service organization's system
                  The processing integrity of a service organization's system
                  The confidentiality of the information that the service organization's system processes
                   or maintains for user entities
                  The privacy of personal information that the service organization collects, uses, retains,
                   discloses, and disposes of for user entities
         The GFS services group has undergone a SOC 2 audit, to examine the suitability of the design
         and operating effectiveness of controls to meet the criteria for the security principle set forth in
         TSP section 100, Trust Services Principles and Criteria for Security, Availability, Processing
         Integrity, Confidentiality, and Privacy (Ref. [11]).

2.5     Microsoft Controls
        This section describes the audited controls implemented by Microsoft which serve to assure
        confidentiality, integrity and availability of data stored on the O365 platform. These controls are
        also referenced within the compliance assessment sections (see Section 3.2 and 3.3), where they
        respond to applicable regulatory requirements.
2.5.1    Security Policies and Procedures
         Microsoft has implemented a Security Policy which applies to Microsoft O365. The Security
         Organization control objective within the SOC 1 audit reported that the information security
         policies are implemented and communicated to the applicable employees.
         The GFS SOC 2 audit reported that the security policies are established, periodically reviewed
         and approved by a designated individual or group.
         The O365 ISO/IEC 27001:2005 audit reported that an approved information security policy has
         been published and communicated to all employees and relevant external parties.
2.5.2    Physical and Environmental Security
          The physical assets on which the O365 system resides have been audited, as part of the GFS
          SOC 2 audit report, to verify that proper physical security controls are established to protect the
          physical assets forming the foundation of the O365 platform.
         The GFS SOC 2 audit reported that the GFS services group has implemented procedures to
         restrict physical access to the infrastructure elements including, but not limited to:
                  Facilities
                  Backup media
                  Firewalls
                  Routers
                  Servers
         The GFS ISO/IEC 27001:2005 audit reported that procedural controls are in place for tracking
         and monitoring physical infrastructures and services, as well as a documented methodology for
         determining the asset security level.
2.5.3    Logical Security
         The O365 SOC 1 audit reported that Microsoft has implemented logical security controls to
         provide reasonable assurance that logical access to the O365 production infrastructure and
         systems is restricted to authorized personnel. User Account Management is performed using
         Active Directory which centralizes the authentication and authorization to the O365
         environment. Policies and standards have been implemented to enforce appropriate user
         account password expiration, length, complexity and history.

          The GFS SOC 2 audit reported that the GFS services group has implemented procedures to
         restrict logical access to the system including, but not limited to, the following measures:
              a. Logical access security measures to restrict access to information resources not deemed
                 to be public
              b. Identification and authentication of users
              c. Registration and authorization of new users
              d. The process to make changes and updates to user profiles
              e. Distribution of output restricted to authorized users
              f. Restriction of access to offline storage, backup data, systems and media
              g. Restriction of access to system configurations, super-user functionality, master
                 passwords, power utilities and security devices (for example, firewalls)
         The O365 ISO/IEC 27001:2005 audit reported that the logical access to the system is restricted
         to authorized personnel in accordance with an enforced access control policy.
2.5.4    System Monitoring and Maintenance
         The O365 SOC 1 audit reported that proper controls are established to provide reasonable
         assurance that the O365 platform is monitored to detect and remediate any security
         vulnerabilities.
         The following activities/controls were audited in relation to system monitoring and
         maintenance:
                  Vulnerability and Patch Management
                  Security Incident Management
         The GFS SOC 2 audit reported that proper controls are established to monitor the GFS
         infrastructure components and proper actions are taken to maintain compliance within its
         defined system security policies. Automated tools are used to monitor the security controls on a
         regular basis. The GFS group monitors, logs, reports and takes appropriate action to resolve
         events involving critical/suspicious activities.
2.5.5    Data Backup, Recovery and Retention
         The O365 SOC 1 audit reported that O365 utilizes secure backup system infrastructure delivered
         by the Global Foundation Services Data Protection Services.
         The GFS SOC 2 audit reported that the GFS Data Protection Services group provides secure
         backup retention and restoration of data in the Microsoft Online Services environment. The
          audit also reported that the recovery and backup process is tested on an annual basis.
2.5.6    Confidentiality
          The following excerpt from the publicly available Office 365 Standard Response to Request for
          Information - Security and Privacy (Ref. [13]) describes the technical controls which help to
          ensure confidentiality of data as it is transmitted between the customer and the O365 platform:

          “Customer access to services provided over the Internet originates from users’ Internet-enabled
          locations and ends at a Microsoft data center. These connections established between
          customers and Microsoft data centers are encrypted using industry-standard Transport Layer
          Security (TLS)/Secure Sockets Layer (SSL). The use of TLS/SSL effectively establishes a highly
          secure browser-to-server connection to help provide data confidentiality and integrity between
          the desktop and the data center. Filtering routers at the edge of the Office 365 services network
          provide security at the packet level for preventing unauthorized connections to Office 365
          Services.”
         The GFS SOC 2 audit reported that encryption or other equivalent security techniques are used
         to protect user authentication information and the corresponding session transmitted over the
         internet or other public networks.
2.5.7    Software Development / Change Management
         The O365 SOC 1 audit reported that a formal SDLC process is defined which governs the
         development of new features or major changes to the O365 platform with the goal of
         minimizing processing errors and security vulnerabilities within the environment. The SDLC
         process encompasses the following phases:
                  Requirements gathering
                  Design
                  Implementation
                  Verification
                  Release
         Key stakeholders are required to provide approval of the tested code prior to deployment of
         newly developed or changed code into the production environment.
         The O365 SOC 1 audit also reported that a formal change control process has been established
         to provide reasonable assurance that changes to the production environment are made in a
         controlled manner. Ticketing systems are used to track changes which contain documented
         details including appropriate authorizations and approvals.
         The GFS SOC 2 audit of the GFS services verified adequate IT change management controls are
         established surrounding the following topics:
                  Service Infrastructure and Support Systems Change Management
                  Secure Configuration – Imaging
                  Network Change Management
                  Network Patch Management
         The O365 ISO/IEC 27001:2005 audit reported that a procedural document covering change
         management is in place which covers security impact analysis, change control and component
         inventory management.

2.5.8    Incident Management
         The O365 SOC 1 audit reported that adequate processes are established governing how
         incidents within the production environment are documented and resolved in a timely manner.
         The processes are part of an incident management framework that includes defined process
         roles, responsibilities, and communications for managing the detection, escalation and response
         to incidents.
         The GFS SOC 2 audit reported that procedures exist to identify, report, and act upon system
         security breaches and other incidents. The Security Incident Management team ensures the
         Security Response procedures are tested annually.
         The O365 ISO/IEC 27001:2005 audit reported that mechanisms are in place for logging and
         monitoring security incidents in O365. Any security events are reported in a timely manner
         through the appropriate management channels.
2.5.9    Service Level Agreements
          Microsoft provides Service Level Agreements (SLA) related to the O365 and O365 Dedicated
          (O365-D) application services, which are available for download from the Microsoft website.
2.5.10 Risk Assessment
         The O365 SOC 1 audit reported that as part of the SDLC process Microsoft has implemented a
         comprehensive threat modeling process to identify potential security and privacy issues.
         Detailed risk assessments covering both security and privacy are performed with the objective
         of remediating any issues detected.
         The GFS SOC 2 audit reported that risk assessments are performed within the context of
         network device change management to evaluate potential risks associated with the change.
2.5.11 Documentation / Asset Management
         The procedure governing software development was audited against a control objective which
         stipulates that the development of new features or major changes must be documented. In
         addition, Microsoft has confirmed to Montrium that a Document and Records Management
         procedure governing protection and retention of documentation is in force. Microsoft has also
         indicated to Montrium that the baseline configuration of O365 components is documented,
         managed, maintained and controlled for access via access control mechanisms. Additionally, this
         configuration is performed according to the Asset management guidelines.
2.5.12 Training Management
         The O365 SOC 1 audit reported that all Microsoft employees receive mandatory training on
         Microsoft Standards of Business conduct on an annual basis. Microsoft O365 staff and
          contingent staff are accountable for understanding and adhering to the Microsoft Online
         Services Security Policy.

         The GFS SOC 2 audit reported security policies concerning information security and business
         conduct were implemented. Training is mandatory for all employees on these policies.
         Procedures and standards cover policy training and training requirements. Training is
         documented and compliance with training requirements is monitored.
         The O365 ISO/IEC 27001:2005 audit reported that Microsoft has a formal security and
         awareness training program which includes security responsibilities, asset ownership, and
         classification.
2.5.13 Disaster Recovery
          The GFS SOC 2 audit reported that processes for backing up critical components and data, customer
          data and credentials are defined and tested on an annual basis. Backup frequency and retention
         period is based on the type of data. Data centers used for backup are in a different geographical
         location than the primary data center.
         The O365 ISO/IEC 27001:2005 audit reported that Microsoft has a formal business continuity
         process that describes the information security requirements.
2.5.14 Vendor Management
         The O365 SOC 1 audit reported that third party vendors have specific statements of work with
         service level agreements that are monitored for compliance and adherence. The Microsoft
         Online Services Delivery Platform group works with vendor companies to perform background
         checks on individuals before they are granted access to the production environment.

3      Qualification Approach
Qualification is defined as “a process of demonstrating the ability of an entity to fulfill specified
requirements. In the context of an IT Infrastructure, this means demonstrating the ability of components
such as servers, clients, and peripherals to fulfill the specified requirements for the various platforms
regardless of whether they are specific or of a generic nature.”⁷ According to industry best practices as
proposed within the GAMP Good Practice Guide: IT Infrastructure Control and Compliance⁷, in order for
an IT infrastructure platform to be considered qualified and compliant, the following critical aspects
need to be considered:
          Installation and operational qualification of infrastructure components
          Configuration management and change control of infrastructure components
          Management of risks to IT Infrastructure
          Involvement of service providers in critical infrastructure processes
          Security management in relation to access controls, availability of services and data integrity
          Data Backup, Restore, Disaster Recovery, Archiving
In the context of a public SaaS cloud service model, the customer does not have control over the
underlying infrastructure hardware and software components, nor over the application itself. The cloud
service provider is responsible for managing and maintaining these components and ensuring that they
meet the terms defined within the governing Service Level Agreement(s). Microsoft has implemented
controls (see Section 2.5) which encompass these critical aspects of IT infrastructure compliance.

                       [Figure 2: Applications are subject to Validation; Infrastructure Software & Tools,
                       Network Components, Infrastructure Hardware and Data Center Facilities are subject
                       to Qualification]

                       Figure 2 – Qualification of Infrastructure vs. Validation of Applications
Validation consists of demonstrating, with objective evidence, that a system meets the requirements of
the users and their processes and is compliant with applicable GxP regulations. In order to remain in a
validated state, appropriate operational controls must be implemented throughout the life of the
system. As such, validation is performed by the regulated users (customer) of the GxP computerized
systems that reside on the O365 platform. The following diagram depicts the typical deliverables and
activities required in order to implement and validate a system and maintain its validated state during
operation.

⁷ ISPE, GAMP Good Practice Guide: IT Infrastructure Control and Compliance (Ref. [7])

                       [Figure 3: Implementation (Validation Plan and Reporting; User Requirement and
                       Acceptance Testing; Installation Qualification) and Operation (Incident Management;
                       Operational Change Control; Periodic Review)]

                              Figure 3 – Typical Validation Activities/Deliverables

Additional information for GxP computerized system validation can be found within the following
guidance documents:
          PIC/S - Good Practices for Computerised Systems in Regulated “GxP” Environments (Ref. [17])
          GAMP 5 - A Risk-Based Approach to Compliant GxP computerized systems (Ref. [6])
3.1       Qualification Activities and Responsibilities
          By utilizing the O365 platform, the customer is effectively outsourcing the management and
          operations of their IT infrastructure and of the application development to Microsoft. However, it
          is important to note that, “the regulated company remains responsible for the regulatory
          compliance of their IT operations regardless of whether they choose to outsource/offshore some
          or all of their IT Infrastructure processes to external service provider(s). Compliance oversight and
          approvals cannot be delegated to the outsource partner.”⁸

⁸ ISPE, GAMP Good Practice Guide: IT Infrastructure Control and Compliance (Ref. [7])

        A summary of the Customer’s and Microsoft’s responsibilities, as they relate to the qualification
        and validation activities is provided below. A detailed description of each party’s responsibilities,
        as they relate to the applicable regulatory requirements, is provided in Section 3.2 (21 CFR Part
        11) and Section 3.3 (Annex 11).
3.1.1    Summary of Microsoft Responsibilities
         Microsoft is responsible for ensuring that O365 meets the terms defined within the governing
         Service Level Agreements (see Section 2.5.9). When new customer environments are deployed
         within the O365 platform, they are created using the default configuration established by
         Microsoft. Microsoft is responsible for ensuring the system is capable of meeting the
         specifications and the terms of the SLA(s).
         The O365 platform must be managed in a controlled and secured manner, so as to provide the
         following key elements in relation to customer data:
                  Confidentiality - ensuring that information is accessible only to those authorized to have
                   access
                  Integrity - safeguarding the accuracy and completeness of information and processing
                   methods
                  Availability - ensuring that authorized users have access to information and associated
                   assets when required
         The controls identified in Section 2.5 are implemented, managed and maintained by Microsoft
         to ensure that the above key requirements can be met.
3.1.2    Summary of Customer Responsibilities
         The customer is responsible for performing the following activities for each GxP computerized
         system requiring qualification and validation within the O365 platform:
              1) Develop or identify procedural controls governing the use of the GxP computerized
                 system. These procedural controls should cover the topics as described in Appendix A,
                 as well as any other controlled processes which are impacted by the GxP computerized
                 system including the following:
                       a. Use of Live IDs and passwords
                       b. Account access to the O365 platform
                       c. Compliance management with applicable laws and regulations
                       d. Customer data encryption requirements
                       e. O365 SMAPI access certificates acquisition
                        f. Data access mechanism (public or signed access) for data contained within the
                           O365 platform
                       g. SharePoint environment configuration
                       h. Data backup upon O365 subscription termination

                       i. Protection of account-related secrecy
                       j. Security Development Lifecycle for applications developed on O365
                       k. Quality assurance of applications before moving to O365 Production
                       l. Security monitoring for applications developed on O365
                       m. Public O365 security and patch updates review
                       n. Patch application when not subscribed to auto-upgrade
                       o. Incident and alert reporting to Microsoft when those are specific to customer
                          systems and O365
                       p. Incident response support with the O365 team
               2) Determine the GxP requirements that apply to the O365 platform based on its intended use.
               3) Follow internal procedures governing Qualification and/or Validation processes; the
                  expected deliverables would include, but are not limited to:
                       a. Qualification / Validation plan describing the activities, responsibilities and
                          deliverables to be produced for GxP computerized system configured on the
                          O365 platform
                       b. Specification documentation describing the GxP computerized system’s
                          requirements, functionality and intended use
                       c. Risk Assessments covering both the decision to configure the GxP computerized
                          system within the O365 platform, and a functional risk assessment of the GxP
                          computerized system. The assessments should include mitigation actions
                          required to address identified risks
                       d. Verification documentation providing evidence that the GxP computerized
                          system meets its intended use as defined within relevant specification
                          documents
              4) Maintain and operate the GxP computerized system in a secure and controlled manner
                 according to internally developed procedures as defined in point 1) above.
3.2    US FDA 21 CFR Part 11 Electronic Records; Electronic Signatures Compliance Assessment
       The following table outlines the assessment that was performed on each regulatory requirement
       of US FDA 21 CFR Part 11 identified as in scope in Section 1.2 of this document. The primary
       objective of the assessment is to identify the procedural and technical controls that are
       required to satisfy the different regulatory requirements.
       In conjunction with the responsibilities identified in Section 3.1, we further identify which controls
       fall within the responsibility of Microsoft versus the controls that are considered the responsibility
       of the customer when using the O365 platform for regulated GxP computerized systems.


SEC. 11.10 CONTROLS FOR CLOSED SYSTEMS.
Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ
procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the
confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed
record as not genuine. Such procedures and controls shall include the following:
11.10 (a)
Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to
discern invalid or altered records.
Customer – Regulated User
The customer is responsible for ensuring any GxP computerized system used to produce and/or manage
electronic records is validated according to an approved and effective procedure. This procedure should
ensure that the validation verifies accuracy, reliability, consistent intended performance, and the ability to
discern invalid or altered records. Additional details regarding the qualification / validation activities are
provided in Section 3.1.2.
Description of activities, documentation and controls:
       • Perform computer system validation activities for GxP computerized systems as defined within the
         governing computer system validation procedure to ensure accuracy, reliability, consistent
         intended performance, and the ability to discern invalid or altered records;
       • Document the qualification/validation activities performed prior to and during the configuration of
         the GxP computerized systems configured on the O365 platform;
       • Establish appropriate system performance monitoring to ensure consistent availability and
         performance of the GxP computerized system.
Microsoft – Cloud service provider
Microsoft is not responsible for validation of the GxP computerized systems configured within the O365
platform. Microsoft is responsible for ensuring the O365 platform performs consistently and reliably by
implementing adequate controls over the development, deployment and testing of the software
applications which make up the O365 platform.
Microsoft meets these requirements through the following controls:
       • System Monitoring and Maintenance (see Section 2.5.4)
       • Software Development / Change Management (see Section 2.5.7)
